diff options
author | Jakub Hrozek <jhrozek@redhat.com> | 2014-09-08 11:49:40 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-09-08 19:18:19 +0200 |
commit | ffe42e0158df6e4b2aad91e9a0cd75aff05be8c4 (patch) | |
tree | 8036ecfd2dc078017ec7b88b60ca660c614ad42e | |
parent | 191d7f7ce3de10d9e19eaa0a6ab3319bcd4ca95d (diff) | |
download | sssd-ffe42e0158df6e4b2aad91e9a0cd75aff05be8c4.tar.gz sssd-ffe42e0158df6e4b2aad91e9a0cd75aff05be8c4.tar.xz sssd-ffe42e0158df6e4b2aad91e9a0cd75aff05be8c4.zip |
LDAP: Skip dereferenced entries that we are not permitted to read
https://fedorahosted.org/sssd/ticket/2421
In case we dereference an entry, for which we have /some/ permissions
for reading, but we only request attributes that we can't access, the
dereference control only returns the DN.
This is also the case with the current version of 389DS for cases where
no entries at all are readable. In this case, the server should not return
the DN at all, though. This DS bug was tracked as
https://fedorahosted.org/389/ticket/47885
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 2284e50c801a53541016eb9a5af00d1250d36afb)
-rw-r--r-- | src/providers/ldap/sdap.c | 7 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async.c | 8 |
2 files changed, 11 insertions, 4 deletions
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c index 8ebf1ea96..77aba64bc 100644 --- a/src/providers/ldap/sdap.c +++ b/src/providers/ldap/sdap.c @@ -561,10 +561,11 @@ errno_t sdap_parse_deref(TALLOC_CTX *mem_ctx, "Dereferenced DN: %s\n", orig_dn); if (!dref->attrVals) { - DEBUG(SSSDBG_MINOR_FAILURE, - "Dereferenced entry [%s] has no attributes\n", + DEBUG(SSSDBG_FUNC_DATA, + "Dereferenced entry [%s] has no attributes, skipping\n", orig_dn); - ret = EINVAL; + *_res = NULL; + ret = EOK; goto done; } diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c index 876fe74ed..92dca3a52 100644 --- a/src/providers/ldap/sdap_async.c +++ b/src/providers/ldap/sdap_async.c @@ -1078,6 +1078,12 @@ static errno_t add_to_deref_reply(TALLOC_CTX *mem_ctx, { int i; + if (res == NULL) { + /* Nothing to add, probably ACIs prevented us from dereferencing + * the attribute */ + return EOK; + } + for (i=0; i < num_maps; i++) { if (res[i]->attrs == NULL) continue; /* Nothing in this map */ @@ -1791,7 +1797,7 @@ static errno_t sdap_x_deref_parse_entry(struct sdap_handle *sh, } ret = add_to_deref_reply(state, state->num_maps, - &state->dreply, res); + &state->dreply, res); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "add_to_deref_reply failed.\n"); goto done; |